Have you gotten the error message “host key verification failed” when connecting to a remote server and are stuck wondering what it means and how to fix it? If so you have found your way to the right place. In this blog post, we will break down what the error means, possible causes, and the solution.
What Is SSH?
SSH stands for Secure Shell, it is one method for providing secure commutation over an untrusted network. It can be used for things like remote shell, file transferring, tunneling, and more.
What Is A FQDN?
FQDN stands for fully qualified domain name it is the full domain name assigned to the host for example server.example.com is an FQDN.
What Is Host Key Verification?
Host Key Verification is a security feature that is part of the SSH protocol. It is used to ensure the client you are connecting to is who they say they are. In other words, it is done to help prevent man-in-the-middle attacks.
When you connect to a server you have never connected to over SSH before you will get a message like this:
The authenticity of host ‘198.51.100.133 (198.51.100.133)’ can’t be established.
ED25519 key fingerprint is SHA256:*******************************************.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
- Line 1: This tells us that it could not verify the authenticity of the host you are connecting to.
- Line 2: Is information about the host key presented when opening the connection
- Line 3: Tells us the key is not known by any other names. For example, if you connect to the server by a different IP or FQDN.
- Line 4: The last line is a question, the question being do you want to continue connecting to the server even though the authenticity of the host could not be verified?
If you say yes, then the remote host key is stored in the ~/.ssh/known_hosts file after you log in using the password or SSH keys. That is then checked on when connecting to that host going forward.
Possible Causes of The Error
- Server Reinstallation or UpgradeWas the Operating System reinstalled or Upgraded? These could cause the system’s host key to be regenerated.
- Server Key RotationRotating the host key entry might be sometimes required in response to a cybersecurity incident.
- Changes in DNS or IP AddressIs the FQDN being used pointing at the correct IP address?
- Corrupt or Edited known_hosts FileBecause the known_hosts file contains the information stored on host keys if this file were edited or to become corrupt it could cause this error.
- DNS Spoofing or Man-in-the-Middle AttackThis cause is the most concerning of the causes for this message. If someone were to gain control over the domain used to connect or hijack the traffic at a network level they could force you to connect to another server you’re not intending to connect to (possibly stealing login information for the real server in the process).
Solutions
- Verify the Server’s Authenticity:Before making changes the first thing you will want to do is to confirm you aren’t being tricked by a man-in-the-middle attack (aka making sure you are connecting to what you think you are connecting to).Assuming DNS is correct elsewhere, are you connecting from a trusted network connection? If you are not please try again from a trusted network. If a trusted network isn’t directly accessible a trusted VPN could be an option.
- Remove the Old Key:To remove the old key there are two options first is using ssh-keygen and the second is to manually remove the entries from the known_hosts file.Option 1: Using ssh-keygen run:
ssh-keygen -R hostname
Option 2: To manually edit the known_hosts file open the file using your favorite text editor and remove the lines relating to the host you are having issues with. - Connect AgainNow that the old host key has been removed you should be able to connect again and will be prompted to add the correct host key.
Conclusion
The security feature host key verification can help detect man-in-the-middle attacks when connecting to servers you have already connected to before. Although when things don’t work out it means that you will need to determine the cause before you continue. In this blog post, we discussed what the error means, possible causes, and the solution.
Additional Links
Done Reading and looking for things to read? Why not check these links out?
Embracing a lifelong passion for technology since childhood, CJ delved into the intricate workings of systems, captivated by the desire to understand the unknown. This innate curiosity led to his discovery of Linux, a revelation that resonated deeply. With more than 7 years of on the job experience, he’s honed his technical skills as a Geek and Senior Linux Systems Administrator.
Leave a Reply